Vulnerability Advisor – Secure your Dev + Ops across containers

We introduced the Vulnerability Advisor (VA) service for IBM® Bluemix Containers and for container images in prior posts. VA provides vulnerability and best-practice reports about Docker images hosted in Bluemix. These reports are a convenient way of quickly knowing whether it’s safe to deploy an image in Bluemix. For example, a user gets one of these tags for each of their images, indicating whether it’s safe to deploy it as a container or not:

[Image: the “deploy” safety tag shown on an image]

To put things in context, the following is a report for an Ubuntu container with 16 vulnerable packages and 3 security-related misconfigurations. The rules that define whether a package is vulnerable are derived from distribution security bulletins such as Ubuntu Security Notices, from CVE information in the National Vulnerability Database, and from IBM X-Force Exchange.

[Image: report for the vulnerable Ubuntu image]

This is a very useful feature, but it does not capture the fact that a container, even one that starts out safe, might become malicious or dangerous. The first reason is that a user could log into the container and change the system on the fly: for example, the user does a docker exec and thinks it would be a good idea to install sshd-server. The second reason is that Vulnerability Advisor updates its rules (e.g. a package vulnerability is discovered after the container started for the first time). Containers age and become more vulnerable than the image they were born from, as security experts discover new malware and vulnerabilities in different distributions.

The missing feature is the ability to live-scan containers before they start (as images) and continuously while they are running, using the same rules as for images. This feature monitors the latest configuration of running containers and checks for divergence from the image. Divergence usually means the system has untracked changes. Remember: a version control system should track all your changes to the system, and a re-deploy should be the only way to make those changes effective. In any case, it is very useful to detect when untracked changes happen. If the system allows them, it’s still very likely that once in a while a developer will log into their containers for a little harmless change. And then, once in a while, that harmless change will be disastrous.
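As an added illustration of the two ways a running container drifts from its image (on-the-fly changes such as a docker exec that installs a package, and rules that change after the container started), here is a small Python live-scan pass. It is example code written for this post, not VA’s implementation: the package listings are constructed `dpkg-query -W -f='${Package} ${Version}\n'` output, and the “package → first fixed version” rule shape is an assumption standing in for VA’s USN/NVD-derived rules.

```python
import re

# Constructed `dpkg-query -W -f='${Package} ${Version}\n'` output: first from the
# image (baseline), then from the same container later, after someone ran
# `docker exec`, installed an SSH server and upgraded openssl by hand.
BASELINE = """\
openssl 1.0.2g-1ubuntu4
libssl1.0.0 1.0.2g-1ubuntu4
"""
LIVE = """\
openssl 1.0.2g-1ubuntu4.1
libssl1.0.0 1.0.2g-1ubuntu4
openssh-server 1:7.2p2-4ubuntu2
"""
# Constructed rules, package -> first fixed version (older is vulnerable): a
# stand-in for VA's USN/NVD-derived rules, not VA's actual rule format.
RULES = {"openssl": "1.0.2g-1ubuntu4.1", "libssl1.0.0": "1.0.2g-1ubuntu4.1"}

def parse_packages(dpkg_output: str) -> dict:
    """Map package name -> version, one `name version` pair per line."""
    pkgs = {}
    for line in dpkg_output.splitlines():
        if line.strip():
            name, version = line.split(maxsplit=1)
            pkgs[name] = version
    return pkgs

def _key(version: str) -> list:
    # Simplified dpkg ordering: numeric runs compare as integers, text runs
    # lexically. Enough for the sample data; real dpkg also handles '~'.
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[A-Za-z]+", version)]

def vulnerable_packages(pkgs: dict, rules: dict) -> dict:
    """Installed packages older than the first fixed version in the rules."""
    return {n: v for n, v in pkgs.items() if n in rules and _key(v) < _key(rules[n])}

def divergence(baseline: dict, live: dict) -> dict:
    """Untracked changes: packages added, removed or changed since the image."""
    common = set(baseline) & set(live)
    return {"added": sorted(set(live) - set(baseline)),
            "removed": sorted(set(baseline) - set(live)),
            "changed": sorted(n for n in common if baseline[n] != live[n])}

def live_scan(baseline_output: str, live_output: str, rules: dict) -> dict:
    """Re-check image and running container under the current rules and report drift."""
    base, live = parse_packages(baseline_output), parse_packages(live_output)
    return {"image_vulnerable": vulnerable_packages(base, rules),
            "container_vulnerable": vulnerable_packages(live, rules),
            "divergence": divergence(base, live)}
```

Running the same rules against both snapshots shows why the report has to be regenerated: the image is flagged on openssl while the container is not, and the container carries an untracked openssh-server that no re-deploy would produce.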

Vulnerability Advisor Live-scanner

We now introduce the Live-scanner service for running containers in Bluemix (notice the part about running containers).

I know what you’re saying: ‘Where can I get these fine new items?’ Well, that’s the gag. Chances are, you’ve bought ’em already! — The Joker (Batman 1989)

If you want to use this new feature, all you have to do is start a container as you did before. In fact, existing containers already have a Vulnerability report, the same report you would get for an image. VA generates this report within a couple of minutes of a new container starting, and generates it again once every day. You do not have to change your container or image in any way to get these reports: no agent to install in the container, no side-car container, no special base image. It’s all out of the box. Here is an example of a container without vulnerabilities:

[Image: a container with no vulnerabilities in the console]

You can then click on the panel to open the container’s Vulnerability report, with the same detail as the report for images:

[Image: the container’s detailed Vulnerability report]

Try Vulnerability Advisor, it’s free!

VA for running containers is now available to you in production in the IBM Bluemix Containers Service. Don’t forget to play with this new feature; it should be easy. Again, all you have to do is take a look at your existing containers in the console.
